At a glance.
- China's plans for a national cybersecurity barrier.
- A US Federal role in the open-source software supply chain?
- A look at proposed reporting deadlines.
China cyberspace regulator publicizes cybersecurity plans.
In a statement on its website, China’s cyberspace regulator says it plans to establish a comprehensive internet governance system and construct a solid national cybersecurity barrier, Reuters reports. The statement added that China “will win the battle for core technologies in the information field” and emphasized the regulator’s goal of bolstering mainstream online opinion.
Log4j highlights need for federal support of open-source software.
The recently discovered Log4j vulnerability has drawn attention to the need to bolster the security of open-source software, and Politico posits that it’s time for the federal government to step in to support the open-source development community. Because most open-source software is developed by tech employees whose companies’ products rely on the code, the developer community is disconnected and not properly focused on security. The past year has seen some improvement efforts; the Linux Foundation’s Open Source Security Foundation drafted a vulnerability disclosure guide for developers, supplied guidance for building security protections into the code, and even created a security certificate for updates. And Google has promised to donate $100 million to open-source security.
However, experts feel that government support is essential. Brian Behlendorf, the Open Source Security Foundation’s general manager, said federal grants as low as $50,000 could be enough to support a team devoted to open-source security. Consistent developer use of a software bill of materials (SBOM), a content list that details the provenance of the code, could help users detect vulnerable code, but few developers have the technology to maintain an accurate SBOM. Allan Friedman, a senior adviser and strategist at the US Cybersecurity and Infrastructure Security Agency who previously oversaw SBOM work at the National Telecommunications and Information Administration, explains, “Transparency in the software supply chain is going to be critical…to understand where our exposures are, where our risks are and where the opportunities to help are.”
It’s worth noting that proposals for Federal involvement envision resources more than they do direction or regulation.
Thirty-six hour incident reporting requirements for US banks.
JDSupra offers an overview of the US’s new cyberincident reporting requirement for banking organizations passed in November by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation. Coming into effect on April 1, 2022, the rule requires banking organizations and their bank service providers to report any “significant” cybersecurity incident within 36 hours of detection. The rule applies to any banking organization regulated by the aforementioned agencies (though the term “banking organization” is defined slightly differently for each agency), as well as “bank service providers,” or any company or person who performs services subject to the Bank Service Company Act. The upshot is that all banking organizations should review and update existing security incident response policies and update any contracts they have with service providers to ensure they are in compliance by May 1.